us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final
advertisement
From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It Sean Metcalf CTO, Trimarc ABOUT • Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including Active Directory & the Microsoft Cloud. • Microsoft Certified Master (MCM) Directory Services • Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon • Security Consultant / Researcher • Own & Operate ADSecurity.org (Microsoft platform security info) Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] AGENDA • Current State • Evolution of Administration • Exploiting Typical Administration • Common Methods of Protecting Admins (& bypassing them) • MFA • Enterprise Password Vaults • Admin Forest • Building the Best Defenses Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Note: Some company products are mentioned in this presentation and deployment concerns are noted – these are not new vulnerabilities. Current State of Security Many organizations have upgraded security • Deployed EDR security tooling with distributed EDR agents • Event logging agents • Flow security events to a SIEM • Vulnerability scanning • Security software agents Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Most have not changed how Active Directory is managed. In the beginning… There was a workstation Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Then we added Desktop Support Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Then we deployed agents for Patching Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Then we switched to a Management system for software deployment/updates & patching Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] The Result 1 workstation 30 accounts in the local Administrators group. 50 accounts with local admin via the software management system. 20 accounts with control of the computer via security agent(s). ====== ~ 100 accounts with effective admin rights on the workstation Who has control of your workstation? Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] The Evolution of Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Where We Were • In the beginning, there were admins everywhere. • Sometimes, user accounts were Domain Admins. • Every local Administrator account has the same name & password. • Some environments had almost as many Domain Admins as users. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Where We Were This resulted in a target rich environment with multiple paths to exploit. Traditional methods of administration are trivial to attack and compromise due to admin credentials being available on the workstation. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Where We Were: “Old School Admin Methods” • Logon to workstation as an admin • Credentials in LSASS. • RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • Credentials in LSASS. • RDP to Domain Controllers or Admin Servers to manage them • Credentials in LSASS on remote server. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Where We Were: “Old School Admin Methods” Sean Metcalf [@Pyrotek3 | Where Are We Now: Newer “Secure" Admin Methods Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Where Are We Now: Newer “Secure" Admin Methods Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Where Are We Now: Newer “Secure" Admin Methods Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration Exploiting Typical Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploiting Typical Administration From AD Admin Credential to DCSync Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] What About MFA? Let’s MFA that RDP Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Multi-Factor Authentication Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Multi-Factor Authentication Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Fun with MFA Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Fun with MFA Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Fun with MFA Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA What if an attacker could bypass MFA without anyone noticing? Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA ACME has enabled users to update several attributes through a selfservice portal. • These attributes include: • • • • Work phone number Work address Mobile number Org-specific attributes Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA ACME has enabled users to update several attributes through a selfservice portal. • These attributes include: • • • • Work phone number Work address Mobile number Org-specific attributes Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA ACME has enabled users to update several attributes through a selfservice portal. • These attributes include: • • • • Work phone number Work address Mobile number Org-specific attributes Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA through SMS Summary • Company uses self-service to enable users to update basic user information attributes. • Attacker compromises user account/workstation and performs selfservice update of Mobile/Cell Phone Number to one the attacker controls. • Attacker compromises admin user name & password • Attacker leverages “backdoor” SMS/text message for MFA to use admin credentials. • Game over. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Subverting MFA https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/ Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] MFA Recommendations • Don’t rely on MFA as the primary method to protect admin accounts. • Use hardware tokens or App & disable SMS (when possible). • Ensure all MFA users know to report anomalies. • Research “Fail Closed” configuration on critical systems like password vaults and admin servers. • Remember that once an attacker has AD Admin credentials, MFA doesn’t really stop them. • Identify potential bypass methods & implement mitigation/detection. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] So, does MFA have value? YES. Please MFA all the things! (just don’t count on MFA to be a silver bullet for security) Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] There’s Something About Password Vaults Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Enterprise Password Vault • Being deployed more broadly to improve administrative security. • Typically CyberArk or Thycotic SecretServer. • “Reconciliation” DA account to bring accounts back into compliance/control. • Password vault maintains AD admin accounts. • Additional components to augment security like a “Session Manager”. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Enterprise Password Vault Password Vault Option #1: Check Out Credential • Connect to Password Vault & Check Out Password (Copy). • Paste Password into RDP Logon Window HTTPS Workstation PW Password Password Vault RDP Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Server Attacking Enterprise Password Vault Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Attacking Enterprise Password Vault Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Attacking Enterprise Password Vault Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Attacking Enterprise Password Vault Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Attacking Enterprise Password Vault Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Enterprise Password Vault Password Vault Option #2: RDP Proxy • Password vault as the "jump" system to perform administration with no knowledge of account password. Workstation HTTPS Password Vault RDP Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Server Enterprise Password Vault Password Vault Option #2: RDP Proxy • Password vault as the "jump" system to perform administration with no knowledge of account password. What account is What account is used to log on here? used to log on here? Workstation HTTPS Are network comms limited to the PV Is MFA used? Password Vault RDP Who administers this server? Admin Server Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Exploit Password Vault Access Compromise the Browser on the Workstation to compromise vault access Sean Metcalf [@Pyrotek3 | Exploit Password Vault Administration Sean Metcalf [@Pyrotek3 | Password Vaults on the Internet Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Password Vaults on the Internet Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Password Vault Config Weaknesses • Authentication to the PV webserver is typically performed with the admin’s user account. • Connection to the PV webserver doesn’t always require MFA. • The PV servers are often administered like any other server. • Anyone on the network can send traffic to the PV server (usually). • Sessions aren’t always limited creating an opportunity for an attacker to create a new session. • Vulnerability in PV can result in total Active Directory compromise. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] CyberArk RCE Vulnerability (April 2018) • CVE-2018-9843: “The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.” • Access to this API requires an authentication token in the HTTP authorization header which can be generated by calling the “Logon” API method. • Token is a base64 encoded serialized .NET object ("CyberArk.Services.Web.SessionIdentifiers“) and consists of 4 string user session attributes. • The integrity of the serialized data is not protected, so it’s possible to send arbitrary .NET objects to the API in the authorization header. • By leveraging certain gadgets, such as the ones provided by ysoserial.net, attackers may execute arbitrary code in the context of the web application. https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution CyberArk RCE Vulnerability Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution What about Admin Forest? (aka Red Forest) Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Forest = Enhanced Security Administrative Environment (ESAE) Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Forest Key Components • New AD Forest with high security configuration. • ESAE forest is isolated from the production network with strong network controls (firewalled encrypted communication). • Production AD Forest has a 1-way trust with the Admin Forest. • Production AD admin groups are empty, except group for ESAE admin groups. • Admin groups/accounts in ESAE can’t admin ESAE. • All systems run the latest workstation & server OS version. • Auto-patching by ESAE management/patching system. • Production AD admin accounts in ESAE should not retain full-time Production AD admin group membership and require MFA for authentication. • ESAE should be carefully monitored for anomalous activity. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Forest Pros & Cons Pros Cons • Effectively isolates Domain Admins and other Active Directory Admins. • When deployed properly, the Red Forest can be effective in limiting attacker AD privileged access. • Expensive to deploy. • Greatly increases management overhead & cost. • Duplicate infrastructure. • Doesn’t fix production AD issues. • Doesn’t resolve expansive rights over workstations & servers. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] What about Production AD privileged Service Accounts? Admin Forest Implementation • Assume Breach • Before deploying, check the environment • Start clean, stay clean • If the production AD environment is compromised, what does ESAE buy you? • What should be done first? Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Forest Discovery Admin Forest Discovery Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] How effective is the Admin Forest? Forest/Admin Forest Sean Metcalf [@Pyrotek3 | Exploiting Prod AD with an AD Admin Forest • Deployments often ignore the primary production AD since all administrators of the AD forest are moved into the Admin Forest. • They often don't fix all the issues in the production AD. • They often ignore service accounts. • Agents on Domain Controllers are a target – who has admin access? • Identify systems that connect to DCs with privileged credentials on DCs (backup accounts). Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Cross-Forest Administration Forest A Forest A Domain Admin Account Trust Forest B RDP Result: Full Compromise of the Production Active Directory Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Cross-Forest Administration • Production (Forest A) <--one-way--trust---- External (Forest B) • Production forest AD admins manage the External forest. • External forest administration is done via RDP. • Production forest admin creds end up on systems in the External forest. • Attacker compromises External to compromise Production AD. Mitigation: • Manage External forest with External admin accounts. • Use non-privileged Production forest accounts with External admin rights. Sean Metcalf (@PyroTek3) TrimarcSecurity.com Building the Best Defenses Securing Active Directory Administration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Photo by DAVID ILIFF. License: CC-BY-SA 3.0 AD Defensive Pillars Administrative Credential Isolation & Protection Hardening Administrative Methods Reducing & Limiting Service Account Rights Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Effective Monitoring Administrative Credential Isolation & Protection • Focus on protecting admin credentials. • Separate AD admin account from user account. • Separate AD admin account from other admin accounts. • Use distinct naming - examples: • ADA – AD Admins • SA – Server Admins • WA – Workstation Admins • Ensure AD admin accounts only logon to secured systems • AD Admin Workstations • AD Admin Servers • Domain Controllers Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Why Admin Workstations? • The battle has moved from the perimeter to workstations on the network. • Management of regular workstations provides a common escalation path. • Credentials found on workstations are often used to elevate privileges. • Builds on the concept of separate accounts for user activities and administrative tasks. Keep in mind that any agent that can install/run code typically has Admin/System rights to the computer. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Hardening Administrative Methods •AD Administration Systems: • Isolate and protect privileged credentials. • Provide a secure environment for admins to perform required privileged tasks. • Disrupt the common attack playbook. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Hardening Administrative Methods • System Configuration: • Only admin accounts can logon (though with no admin rights) • Separate administration • Separate management/patching from other systems • Auto-patching • Firewalled from the network, only allowing specific admin comms • Restrict access to management protocols (RDP, WMI, WinRM, etc) • Enforce Network Level Authentication (NLA) for all RDP connections. • Leverage MFA where possible for additional administration security (typically used for RDP to Admin Server). Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Hardening Administrative Methods Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Hardening Administrative Methods Microsoft Tier Model: • Difficult and costly to implement. • Duplicates infrastructure & admin accounts. • Rarely fully implemented. • Focus on Tier 0 (Domain Controllers and AD Admins first). Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Hardening Administrative Methods Microsoft Tier Model: What is Tier 0? • Domain Controllers • Privileged AD Accounts & Systems • AD Admins • Service accounts • AD Admin workstations & server • ADFS & Federation Servers • Azure AD Connect Servers (when synchronizing password hash data) • PKI infrastructure • Password vault systems that contain/control AD admin credentials • Tier 0 management systems Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Systems: Convincing Admins • Admins that are typically mobile and use a laptop will likely require a 2nd laptop. • Admins are less than excited when told they have to use separate systems for administration. • The people most impacted are the ones who have to implement. • Use this opportunity to refresh admin hardware • There are several options for small, lightweight laptop and supports all Windows 10 security features (Microsoft Surface devices) • Explain that admin workstations are now a requirement to protect computer systems (& creds on the system). • Isolating & protecting admin credentials is critical or AD will be owned. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Systems: Convincing Management • Isolating & protecting admin credentials is critical. • Admin systems and new security controls like MFA are now required. • These systems and controls will slow resolution of issues, but will also slow/stop attackers. • The cost of extra hardware and additional operations time is much cheaper than recovering from a breach (IR = $$$). • Start slow and build up with gradual changes. • Collaboration & Partnering of All Teams Involved is Important. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] A Workable Admin System • Separate physical devices are best, but not always feasible. • Goal is to isolate admin credentials. • Start with an admin workstation that leverages virtualization for a good blend of security and operational ability. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] A Workable Admin System • Host OS is the “admin environment” • “User environment” is a VM on the system – no admin accounts or activities occur in this environment. • Admin user only uses their user account to logon to the user VM. • Admin user uses a “transition” account to logon to the host OS. This account has no admin rights and is the only one that logon to the host OS. • Once on the Admin system, an AD admin account is used to RDP to Admin Server. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] A Workable Admin System User Environment VM “Regular User Account” “Transition Account” AD Admin Account RDP Admin Workstation Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Server A Workable Admin System User Environment VM “Regular User Account” “Transition Account” MFA HTTPS Password Vault RDP Admin Workstation Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Admin Server Admin Workstation Deployment • Phase 1: Active Directory Admins • Phase 2: Virtual Infrastructure Admins • Phase 3: Cloud Admins • Phase 4: Server Admins • Phase 5: Workstation Admins Note that these phases may be performed at the same time as others. PKI & Mainframe Admins need Admin Workstations too! Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] The new standard for AD Admins • Only ever logon to: • Domain Controllers • AD Admin workstation • AD Admin servers • AD Admin accounts are always separate from other administration. • AD Admins are prevented from logging on to lower tier systems. • No Service Accounts with AD Admin rights. • Ensure all local Administrator accounts have unique passwords. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Reducing & Limiting Service Account Rights • Service Accounts are almost always over-privileged • Vendor requirements • Too often are members of AD admin groups • Domain Admins • Administrators • Backup Operators • Server Operators • Rarely does a service account actually require Domain Admin level rights. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Product Permission Requirements • Domain user access • Operations systems access • Mistaken identity – trust the installer • AD object rights • Install permissions on systems • Needs System rights • Active Directory privileged rights • Domain permissions during install • More access required than often needed. • Initial start/run permissions • Needs full AD rights Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Product Permission Requirements • Domain user access • Active Directory privileged • Operations systems access rights • Domain permissions during • Mistaken identity – trust the installer • AD object rights • Install permissions on systems • Needs System rights install • More access required than often needed. • Initial start/run permissions • Needs full AD rights Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Common Service Accounts in Domain Admins • Vulnerability Scanning Tool • • • • Split scanning into different scan “buckets” Workstations with a VulnScan-wrk service account Servers with a VulnScan-srv service account Domain Controllers with a VulnScan-DC service account. • Backup • Move to the Backup Operators group which should provide the required rights. • VPN • Delegate the appropriate rights (often only requires the ability to reset account passwords) • SQL • There is never a good reason for a SQL service account to have privileged AD rights. Remove the account(s) from AD admin groups. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Conclusion • Traditional AD Administration must evolve with the threats to effectively protect Active Directory. • Most organizations have done "something" to better secure their environment, thought it’s often not enough. • Priority #1: Remove accounts & service accounts from AD privileged groups. • Priority #2: Protect & Isolate AD Admin credentials by ensuring the credentials are limited to specific systems. Sean Metcalf [@Pyrotek3 | Questions? Like my talk? Please Submit an Evaluation Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.ADSecurity.org TrimarcSecurity.com Slides: Presentations.ADSecurity.org BONUS CONTENT: Effective Active Directory Monitoring Configuration Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Effective Monitoring Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Effective Monitoring Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Effective Monitoring auditpol.exe /get /category:* Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Recommended DC Auditing • DS Access • Account Logon • Audit Credential Validation: S&F • Audit Kerberos Authentication Service: S&F • Audit Kerberos Service Ticket Operations: Success & Failure • Account Management • Audit Directory Service Access: S&F • Audit Directory Service Changes: S&F • Logon and Logoff • • • • Audit Account Lockout: Success Audit Logoff: Success Audit Logon: S&F Audit Special Logon: Success & Failure • Audit Computer Account Management: S&F • Audit Other Account Management Events: S&F • System • Audit Security Group Management: S&F • Audit IPsec Driver : S&F • Audit User Account Management: S&F • Audit Security State Change : S&F • Detailed Tracking • Audit Security System Extension : S&F Audit System Integrity : S&F • Audit DPAPI Activity: S&F • Audit Process Creation: S&F Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Special Logon Auditing (Event ID 4964) • Track logons to the system by members of specific groups (Win 7/2008 R2+) • Events are logged on the system to which the user authenticates. • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit (Event ID 4908: updated table) • Local Accounts: S-1-5-113 • Domain Admins: S-1-5-21-[DOMAIN]-512 • Enterprise Admins: S-1-5-21-[FORESTROOTDOMAIN]-519 • Custom Group: Create a new group Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] • Administrators : S-1-5-32-544 (Could be noisy) https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-andspecific-service-accounts/ Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] EventID Description Impact 4768 Kerberos auth ticket (TGT) was requested Track user Kerb auth, with client/workstation name. 4769 User requests a Kerberos service ticket Track user resource access requests & Kerberoasting 4964 Custom Special Group logon tracking Track admin & “users of interest” logons 4625/4771 Logon failure Interesting logon failures. 4771 with 0x18 = bad pw 4765/4766 SID History added to an account/attempt failed If you aren’t actively migrating accounts between domains, this could be malicious 4794 DSRM account password change attempt If this isn’t expected, could be malicious 4780 ACLs set on admin accounts If this isn’t expected, could be malicious 4739/643 Domain Policy was changed If this isn’t expected, could be malicious 4713/617 Kerberos policy was changed If this isn’t expected, could be malicious 4724/628 Attempt to reset an account's password Monitor for admin & sensitive account pw reset 4735/639 Security-enabled local group changed Monitor admin/sensitive group membership changes 4737/641 Security-enabled global group changed Monitor admin/sensitive group membership changes 4755/659 Security-enabled universal group changed Monitor admin & sensitive group membership changes 5136 A directory service object was modified Monitor for GPO changes, admin account modification, specific user attribute modification, etc. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Event IDs that Matter: Domain Controllers EventID Description Impact 1102/517 Event log cleared Attackers may clear Windows event logs. 4610/4611/4 614/4622 Local Security Authority modification Attackers may modify LSA for escalation/persistence. 4648 Explicit credential logon Typically when a logged on user provides different credentials to access a resource. Requires filtering of “normal”. 4661 A handle to an object was requested SAM/DSA Access. Requires filtering of “normal”. 4672 Special privileges assigned to new logon Monitor when someone with admin rights logs on. Is this an account that should have admin rights or a normal user? 4723 Account password change attempted If it’s not an approved/known pw change, you should know. 4964 Custom Special Group logon tracking Track admin & “users of interest” logons. 7045/4697 New service was installed Attackers often install a new service for persistence. 4698 & 4702 Scheduled task creation/modification Attackers often create/modify scheduled tasks for persistence. Pull all events in Microsoft-Windows-TaskScheduler/Operational 4719/612 System audit policy was changed Attackers may modify the system’s audit policy. 4732 A member was added to a (securityenabled) local group Attackers may create a new local account & add it to the local Administrators group. 4720 A (local) user account was created Attackers may create a new local account for persistence. Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Event IDs that Matter: All Windows systems Event IDs that Matter (Newer Windows systems) EventID Description Impact 3065/3066 LSASS Auditing – checks for code integrity Monitors LSA drivers & plugins. Test extensively before deploying! 3033/3063 LSA Protection – drivers that failed to load Monitors LSA drivers & plugins & blocks ones that aren’t properly signed. 4798 A user's local group membership was enumerated. Potentially recon activity of local group membership. Filter out normal activity. LSA Protection & Auditing (Windows 8.1/2012R2 and newer): https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx 4798: A user's local group membership was enumerated (Windows 10/2016): https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4798 Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] Logon Type # Name Description Creds on Disk Creds in Memory Distribution 0 System Typically rare, but could alert to malicious activity Yes Yes * 2 Interactive Console logon (local keyboard) which includes server KVM or virtual client logon. Also standard RunAs. No Yes #5 / 0% 3 Network Accessing file shares, printers, IIS (integrated auth, etc), PowerShell remoting No No #1 / ~80% 4 Batch Scheduled tasks Yes Yes #7 / 0% 5 Service Services Yes Yes #4 / <1% 7 Unlock Unlock the system No Yes #6 / <1% 8 Network Clear Text Network logon with password in clear text (IIS basic auth). If over SSL/TLS, this is probably fine. Maybe Yes #2 / ~15% 9 New Credentials RunAs /NetOnly which starts a program with different credentials than logged on user No Yes #3 / < 1% 10 Remote Interactive RDP: Terminal Services, Remote Assistance, R.Desktop Maybe Yes* #9 / 0% 11 Cached Interactive Logon with cached credentials (no DC online) Yes Yes #8 / 0% A Note About Logon Types (EventID 4624) Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] References • Securing Active Directory – An Overview of Best Practices https://technet.microsoft.com/en-us/library/dn205220.aspx • Microsoft: Securing Privileged Access Reference Material https://technet.microsoft.com/en-us/library/mt631193.aspx • Mimikatz https://adsecurity.org/?page_id=1821 • Attack Methods for Gaining Domain Admin Rights in Active Directory https://adsecurity.org/?p=2362 • Exploit Duo FailOpen https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/ Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com] References • Microsoft Local Administrator Password Solution (LAPS) https://adsecurity.org/?p=1790 • The Most Common Active Directory Security Issues and What You Can Do to Fix Them https://adsecurity.org/?p=1684 • How Attackers Dump Active Directory Database Credentials https://adsecurity.org/?p=2398 Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com]
